Digital Evidence in Turkish Criminal Proceedings: Collection, Preservation and Challenges
yazarı lawyerfbc
açık Mayıs 25, 2026

Introduction

Digital evidence has become one of the most decisive forms of proof in Turkish criminal proceedings. In modern criminal files, evidence may no longer be limited to witness statements, physical documents, fingerprints or camera footage. Mobile phones, computers, e-mail accounts, social media profiles, cloud storage, server logs, IP records, bank transactions, messaging applications, digital photographs, location data, call records, deleted files and metadata may determine the outcome of a criminal investigation.

This is especially important in cybercrime cases, fraud investigations, sexual offences, threats, defamation, blackmail, drug crimes, organized crime, corruption, financial crimes, data protection violations and workplace-related criminal disputes. A single WhatsApp message, IP log, e-mail header, deleted file, device extraction report or server timestamp may become the main evidence in the file.

Under Turkish law, digital evidence must be collected, preserved, examined and presented in accordance with criminal procedure rules. The most important provision is Article 134 of the Turkish Criminal Procedure Code No. 5271, which regulates search, copying and seizure of computers, computer programs and computer records. The Council of Europe’s Turkey cybercrime profile also identifies Criminal Procedure Code Article 134 as the relevant provision for search and seizure of computer data, together with provisions on interception of communications and technical surveillance.

This article provides a comprehensive legal guide to digital evidence in Turkish criminal proceedings, focusing on collection, preservation, admissibility, chain of custody, forensic examination, cybercrime investigations, personal data issues and defence challenges.

1. What Is Digital Evidence?

Digital evidence refers to information stored, transmitted or processed in electronic form that may be used to prove or disprove a fact in criminal proceedings. It can exist in physical devices, online accounts, cloud systems, corporate servers, mobile applications, communication networks or digital platforms.

Examples of digital evidence include:

  • Mobile phone data.
  • Computer files.
  • Deleted documents.
  • E-mail correspondence.
  • E-mail headers.
  • WhatsApp, Telegram, Signal or SMS messages.
  • Social media posts and private messages.
  • IP address records.
  • Server logs.
  • Firewall logs.
  • Browser history.
  • Cloud storage records.
  • Bank transaction logs.
  • Cryptocurrency wallet activity.
  • Metadata of photographs and videos.
  • GPS and location records.
  • Call detail records.
  • CCTV footage.
  • Access control records.
  • Application usage logs.
  • Digital signatures.
  • Electronic invoices.
  • System audit trails.

Digital evidence is powerful because it may show time, place, identity, communication, access, transaction, intention and sequence of events. However, it is also fragile. It can be deleted, altered, overwritten, remotely modified, encrypted or taken out of context. For this reason, digital evidence must be handled carefully.

2. Legal Basis: CMK Article 134

The main procedural basis for collecting computer-based digital evidence in Turkish criminal proceedings is Article 134 of the Criminal Procedure Code. Article 134 allows search, copying and seizure of computers, computer programs and computer records where there are strong suspicions based on concrete evidence and no other way to obtain evidence. The provision also allows the judge, or in urgent cases the public prosecutor, to decide that computers, programs and logs used by the suspect may be searched, copied, deciphered and converted into text.

This provision is significant because digital evidence collection interferes with privacy, communication, property, personal data and defence rights. A computer or mobile phone may contain not only offence-related data but also private photos, attorney-client communications, family messages, health records, commercial secrets and unrelated personal information.

Therefore, Article 134 is not a simple technical search rule. It is a procedural safeguard. It requires concrete suspicion, necessity and lawful authorization. Evidence collected outside legal limits may be challenged in criminal proceedings.

3. Search, Copying and Seizure of Digital Devices

In practice, digital evidence collection may involve searching a device, making forensic copies, seizing hardware, extracting files, recovering deleted data, analyzing communication records or converting digital records into readable form.

The proper method is usually not to directly browse a suspect’s phone or computer in an uncontrolled way. Instead, the device should be secured, imaged and examined through forensic methods. A forensic image is a bit-by-bit copy of digital storage, usually supported by hash values to verify integrity. Hash values help demonstrate that the copied data has not changed between collection and examination.

The distinction between copying and seizure is important. Where possible, authorities may make a copy and return the device, especially if the device is needed for business or personal life. However, if copying is not possible, if password protection prevents access, or if examination will take time, seizure may occur under the conditions of the law.

From a defence perspective, counsel should examine whether the Article 134 decision was specific enough, whether the search exceeded its scope, whether irrelevant private data was included, whether imaging was properly performed and whether chain of custody was preserved.

4. Chain of Custody

Chain of custody is one of the most important concepts in digital evidence. It refers to the documented history of evidence from the moment it is collected until it is presented in court. A proper chain of custody should show who collected the evidence, when it was collected, where it was stored, who accessed it, how it was copied, whether it was sealed, whether hash values were taken and whether the evidence remained unchanged.

In digital evidence cases, chain of custody problems may seriously weaken the prosecution’s case. If a device was handled by several people without documentation, if logs were copied without hash verification, if a USB drive was not sealed, if screenshots were produced without source data or if data was extracted by an unauthorized person, the reliability of the evidence may be challenged.

Turkish courts may rely heavily on expert reports. However, an expert report is only as strong as the evidence it examines. If the original data source is unreliable, contaminated or incomplete, the expert conclusion may also be challenged.

A well-prepared defence should ask:

  • Who first obtained the digital evidence?
  • Was the device sealed?
  • Was a forensic image created?
  • Were hash values calculated?
  • Was the original device preserved?
  • Were access logs documented?
  • Was evidence stored securely?
  • Was the examination limited to the judicial authorization?
  • Were unrelated private materials filtered?
  • Can the same findings be independently verified?

5. Forensic Imaging and Hash Verification

Forensic imaging is a key method for preserving digital evidence. Instead of examining the original device directly, forensic experts create an exact copy. The copy is then examined, while the original is preserved. This reduces the risk of altering original data.

Hash verification supports integrity. A hash value is a unique digital fingerprint of a file or image. If even a small change occurs in the data, the hash value changes. Therefore, hash values help prove that the evidence examined by the expert is the same as the evidence collected.

In criminal proceedings, forensic imaging and hash verification may become decisive in disputes about manipulation. For example, if the defence claims that files were planted, messages were edited or logs were altered, hash records and chain of custody documentation can support or weaken that claim.

For victims and complainants, this also matters. If a victim submits screenshots only, the defence may argue that the images were edited. If the victim provides the original device, original message export, e-mail headers, platform records or notarized determination, the evidence becomes stronger.

6. Screenshots as Digital Evidence

Screenshots are frequently submitted in Turkish criminal cases, especially in defamation, threats, harassment, blackmail, fraud, social media crimes and family-related criminal disputes. Screenshots may be useful, but they are often weak if unsupported.

A screenshot may show what appeared on a screen at a certain moment, but it may not prove the source, authenticity, date, sender, IP address, metadata or whether the content was edited. Screenshots can be fabricated or manipulated. They may also omit context.

Therefore, screenshots should be supported by stronger evidence, such as:

  • Original device examination.
  • Platform records.
  • E-mail headers.
  • URL and timestamp information.
  • Notarial determination.
  • Metadata.
  • Witness statements.
  • Account ownership records.
  • IP logs.
  • Server records.
  • Communication export files.

For example, in a threat case based on WhatsApp messages, screenshots may be supported by original phone examination, chat export, phone number records and witness statements. In a social media defamation case, screenshots may be supported by URL records, platform account data and access logs.

7. E-Mail Evidence and E-Mail Headers

E-mails are common digital evidence in fraud, workplace crimes, commercial disputes, cybercrime, threats and forgery cases. However, printing an e-mail body is usually not enough. E-mail headers may reveal routing information, sender servers, timestamps, message IDs and technical details that help verify authenticity.

In phishing or business e-mail compromise cases, e-mail headers may show whether an e-mail truly came from a known company domain or from a spoofed address. They may also help identify mail servers, suspicious routing or compromised accounts.

A strong digital evidence strategy should preserve the original e-mail in its native format. Forwarding or copying the text into a document may destroy important technical information. If e-mail evidence is important, the original mailbox, server records and headers should be preserved as early as possible.

8. IP Address Evidence

IP address records are often used in cybercrime investigations. They may help identify the internet connection used for unauthorized access, online fraud, account login, illegal content upload or communication with a digital platform.

However, IP evidence has limitations. An IP address does not always prove the identity of the person who used the connection. A home Wi-Fi network may be shared by family members, guests or neighbours. A workplace connection may be used by many employees. Public Wi-Fi may be used by unknown users. VPN, proxy, TOR, remote desktop tools or malware may hide or distort the real user. Dynamic IP addresses may change over time.

Therefore, IP evidence should be evaluated with other evidence, such as device records, account login patterns, phone data, location, browser history, messages, bank records, camera footage and motive. A conviction based only on an IP address may be vulnerable if identity is not otherwise established.

For defence lawyers, common challenges include:

  • Whether the IP allocation record is accurate.
  • Whether the timestamp includes the correct time zone.
  • Whether the relevant port number is needed.
  • Whether multiple users had access to the network.
  • Whether the device used was identified.
  • Whether VPN or proxy use is possible.
  • Whether malware or remote control is possible.
  • Whether the accused personally controlled the device.

9. Mobile Phone Evidence

Mobile phones are often the richest source of digital evidence. They may contain messages, call logs, photos, videos, location history, app data, bank applications, social media accounts, browser history, deleted files, contacts, notes and cloud synchronization records.

Because phones contain extremely private information, their examination must be limited, lawful and proportionate. A phone search should not become an unlimited search into a person’s entire private life. The authorization should be connected to the investigation and relevant data categories.

In criminal defence, counsel should examine whether the phone was seized lawfully, whether the examination stayed within the scope of the decision, whether unrelated private data was added to the file, whether privileged communications were protected and whether the extraction report is technically reliable.

For victims, phone evidence should be preserved before messages are deleted or applications are reinstalled. In harassment, threat or blackmail cases, victims should avoid deleting messages, blocking without preserving evidence or factory-resetting the device.

10. Cloud Evidence and Cross-Border Challenges

Many digital records are stored not on local devices but in cloud systems. E-mails, documents, photos, backups, application data, messaging history, corporate files and logs may be stored on servers abroad. This creates jurisdictional and practical challenges.

Turkish authorities may need platform cooperation, mutual legal assistance or international cooperation channels to obtain certain records. Delays may occur. Data may be deleted under platform retention rules. Some platforms may require specific legal requests. Some data may not be available because of end-to-end encryption.

Therefore, parties should preserve locally available evidence immediately. For example, a victim should save the original e-mail, take screenshots with URLs, export messages where possible, preserve transaction records and identify account details. Companies should preserve server logs, cloud audit logs, user access records and admin activity records before retention periods expire.

11. Digital Evidence in Cybercrime Cases

Digital evidence is central in cybercrime cases such as unauthorized access, system interference, phishing, ransomware, credit card misuse, online fraud and data breach investigations. The Council of Europe’s Turkey cybercrime profile identifies Turkish Penal Code Articles 243, 244, 245 and 245/A as core cybercrime provisions and refers to Criminal Procedure Code Article 134 for search and seizure of computer data.

In an unauthorized access case, evidence may include login logs, IP records, device identifiers, password reset records, e-mail notifications and account activity.

In a ransomware case, evidence may include malware samples, encryption timestamps, ransom notes, server logs, cryptocurrency wallet addresses, firewall records and backup deletion records.

In a phishing case, evidence may include fake URLs, SMS messages, e-mail headers, bank transfer records, recipient IBAN details, hosting data and domain registration records.

In a bank card misuse case, evidence may include transaction records, 3D Secure logs, merchant information, delivery addresses, IP data and CCTV footage.

Each type of cybercrime requires a different evidence plan. A generic criminal complaint may fail if it does not identify the specific digital evidence that must be collected urgently.

12. Provider Records and Law No. 5651

In internet-related offences, provider records may be essential. Hosting providers, access providers, content providers, social network providers and platform operators may hold relevant traffic data, account records, access logs or content information.

Law No. 5651 regulates internet actors and provider obligations in Turkey. Legal commentary on the law notes that hosting providers are required to retain traffic data relating to hosting activities and that access providers have obligations concerning access blocking and traffic-related records.

In practice, provider records may help determine:

  • Who uploaded unlawful content.
  • Which IP address accessed an account.
  • Which server hosted a phishing website.
  • When a domain was active.
  • Whether illegal content was removed.
  • Whether a social media account was linked to certain contact details.
  • Whether access logs still exist.

Timing is critical. Provider logs may not be retained indefinitely. A delayed complaint may result in loss of evidence. Therefore, petitions should request urgent preservation and collection of relevant traffic and access records.

13. Personal Data and Digital Evidence

Digital evidence often contains personal data. Phones, computers, e-mails, server logs, bank records and cloud accounts may include identity information, health data, financial data, private messages, photographs, location data and professional secrets.

The Turkish Personal Data Protection Law No. 6698 becomes relevant where digital evidence includes personal data, especially in corporate investigations and cyber incidents. The Personal Data Protection Board’s Decision No. 2019/10 states that where personal data breach notification cannot be made within 72 hours, the reasons for delay should be attached to the notification, and information may be provided gradually without delay if all details cannot be supplied at once.

This matters in criminal proceedings because evidence collection must be balanced against privacy and data protection. Companies investigating employee misconduct, cyber fraud or data breaches should avoid uncontrolled copying of all employee data. Internal investigations should be limited, documented, lawful and proportionate.

If a cyber incident involves personal data obtained by third parties unlawfully, the company may need to assess both criminal complaint strategy and KVKK notification obligations.

14. Internal Corporate Investigations

Companies frequently conduct internal investigations before filing criminal complaints. For example, a company may investigate unauthorized access by a former employee, deletion of files, transfer of customer data, fake invoice fraud, misuse of corporate cards or ransomware.

However, internal digital evidence collection carries legal risks. If the company collects employee communications unlawfully, violates privacy, alters logs, fails to preserve original data or conducts an overly broad search, the evidence may be challenged. The company may also face separate legal exposure.

A proper internal investigation should include:

  • Written scope.
  • Legal basis for review.
  • Limited access to relevant data.
  • Preservation of original logs.
  • Forensic copying where necessary.
  • Hash verification.
  • Documentation of each step.
  • Separation of privileged or private data.
  • Coordination with legal counsel.
  • Careful preparation of criminal complaint.

Companies should avoid informal “IT checks” that change metadata, overwrite logs or create uncertainty about who accessed the data.

15. Admissibility of Digital Evidence

Under Turkish criminal procedure, evidence must be lawfully obtained. Unlawfully obtained evidence may be excluded and cannot form the basis of a conviction. This principle is especially important for digital evidence because privacy rights are easily affected.

Potential admissibility problems include:

  • Device search without proper authorization.
  • Examination exceeding the scope of the judicial decision.
  • Unlawful access to private accounts.
  • Screenshots obtained by hacking.
  • Recording private communications unlawfully.
  • Manipulated or unverifiable digital files.
  • Broken chain of custody.
  • Lack of forensic integrity.
  • Incomplete expert examination.
  • Failure to preserve original evidence.
  • Use of privileged attorney-client communications.

The defence should raise these issues clearly and specifically. It is not enough to say “the evidence is unlawful.” The petition should identify which evidence is unlawful, how it was obtained, which procedural rule was violated and why it should not be relied upon.

16. Expert Reports and Objections

Digital evidence is often evaluated by court-appointed experts. Expert reports may analyze devices, recover deleted data, examine logs, compare timestamps, identify user activity, verify files, assess malware, analyze bank records or interpret IP data.

However, expert reports are not immune from challenge. A report may be incomplete, technically weak, based on insufficient data or outside the expert’s field. It may fail to answer key questions, ignore alternative explanations or rely on screenshots without verifying source records.

Objections to expert reports should be technical and concrete. Counsel may request:

  • Additional expert report.
  • New expert panel.
  • Examination of original device.
  • Hash value verification.
  • Clarification of timestamps.
  • Identification of user accounts.
  • Analysis of malware possibility.
  • Review of IP allocation records.
  • Comparison with provider logs.
  • Explanation of deleted file recovery.
  • Separation of irrelevant private data.
  • Assessment of whether evidence was altered.

In complex cases, a party-appointed technical opinion may help the lawyer frame objections to the official expert report.

17. Defence Challenges in Digital Evidence Cases

Digital evidence can appear objective, but it is not always conclusive. Defence counsel should carefully analyze whether the evidence truly proves the accused person’s conduct and intent.

Common defence challenges include:

  • IP address does not identify the individual user.
  • Device was used by multiple people.
  • Account credentials were shared.
  • Password was saved in a browser.
  • Device may have been infected with malware.
  • Remote access may have occurred.
  • Logs are incomplete.
  • Timestamps are inconsistent.
  • Time zone conversion is wrong.
  • Evidence was collected outside authorization.
  • Screenshots are unsupported.
  • Expert report lacks technical reasoning.
  • Chain of custody is broken.
  • There is no proof of criminal intent.
  • The act is misclassified legally.

For example, in an unauthorized access case, the fact that a login came from a household IP address may not prove that the accused personally logged in. In a data deletion case, the fact that a user account performed deletion may not prove who physically used that account. In a phishing case, the fact that money entered a bank account may not prove that the account holder designed the phishing scheme.

18. Victim-Side Evidence Preservation

Victims should preserve digital evidence carefully before filing a complaint. In many cases, the quality of the initial evidence determines the success of the investigation.

Victims should:

  • Keep original messages.
  • Save URLs and timestamps.
  • Preserve e-mails with headers.
  • Take screenshots without deleting originals.
  • Avoid factory-resetting devices.
  • Preserve bank transaction records.
  • Request bank objection records.
  • Save platform notifications.
  • Preserve login alerts.
  • Keep cargo and delivery records.
  • Identify phone numbers and account names.
  • Avoid editing files.
  • Submit evidence in an organized chronology.

In cybercrime cases, complaints should request urgent collection of logs because digital traces may disappear quickly. A delayed complaint may make it impossible to identify IP records, hosting data, CCTV footage or bank account movements.

19. Digital Evidence in Appeal and Constitutional Review

Digital evidence issues may also become important at the appeal stage. If the first instance court relied on weak screenshots, incomplete expert reports, unlawful device searches or unverified IP records, these points should be raised in appeal.

Appeal arguments may focus on:

  • Insufficient reasoning.
  • Failure to address defence objections.
  • Conviction based on incomplete expert report.
  • Failure to collect exculpatory digital evidence.
  • Failure to examine original device.
  • Failure to obtain provider records.
  • Incorrect legal classification.
  • Use of unlawfully obtained evidence.
  • Violation of fair trial rights.

In serious cases, digital evidence errors may affect the right to a fair trial, privacy rights and the right to defence. The court must not treat technical evidence as unquestionable merely because it appears in an expert report.

20. Practical Checklist for Lawyers

A lawyer handling digital evidence in Turkish criminal proceedings should consider the following questions:

  1. What is the exact digital evidence relied upon?
  2. Who collected it?
  3. Was there a lawful authorization?
  4. Was CMK Article 134 followed where applicable?
  5. Was a forensic copy created?
  6. Were hash values recorded?
  7. Was chain of custody documented?
  8. Was the evidence altered after collection?
  9. Is there original source data?
  10. Are screenshots supported?
  11. Are timestamps reliable?
  12. Was the correct time zone used?
  13. Are provider records needed?
  14. Is the expert report complete?
  15. Does the evidence prove identity?
  16. Does the evidence prove intent?
  17. Is there an alternative technical explanation?
  18. Does the evidence include personal data or privileged material?
  19. Should unlawful evidence objections be raised?
  20. Is additional expert examination necessary?

This checklist is useful for both prosecution-side and defence-side practice.

Conclusion

Digital evidence in Turkish criminal proceedings is powerful, but it must be collected, preserved and challenged with precision. CMK Article 134 provides the central procedural framework for search, copying and seizure of computers, computer programs and computer records. Cybercrime investigations also rely heavily on provider records, IP logs, mobile phone extractions, e-mail headers, server logs, cloud records and expert reports.

For victims, the most important step is fast and careful preservation of original digital material. For companies, internal investigations must be lawful, documented and technically sound. For suspects and defendants, digital evidence must be challenged through chain of custody, authenticity, scope of authorization, forensic integrity, attribution and intent. For courts, digital evidence should not be treated as automatically reliable merely because it appears technical.

In modern Turkish criminal practice, many cases are won or lost through digital evidence. A screenshot may start an investigation, but a lawful, verifiable and properly preserved evidentiary chain is what makes digital proof persuasive. Effective legal strategy requires cooperation between criminal lawyers, forensic experts, data protection specialists and technical professionals.

Categories:

Genel

Yanıt yok

Bir yanıt yazın

E-posta adresiniz yayınlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir

Our Client

We provide a wide range of Turkish legal services to businesses and individuals throughout the world. Our services include comprehensive, updated legal information, professional legal consultation and representation

Our Team

.Our team includes business and trial lawyers experienced in a wide range of legal services across a broad spectrum of industries.

Why Choose Us

We will hold your hand. We will make every effort to ensure that you understand and are comfortable with each step of the legal process.

Open chat
1
Hello Can İ Help you?
Hello
Can i help you?
Call Now Button